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Foreword 


It  is  my  great  pleasure  to  present  another  of  the  Wright 
Flyer  Papers  series.  In  this  series,  Air  Command  and  Staff 
College  (ACSC)  recognizes  and  publishes  the  “best  of  the 
best”  student  research  projects  from  the  prior  academic 
year.  The  ACSC  research  program  encourages  our  stu¬ 
dents  to  move  beyond  the  school’s  core  curriculum  in  their 
own  professional  development  and  in  “advancing  aero¬ 
space  power.”  The  series  title  reflects  our  desire  to  perpet¬ 
uate  the  pioneering  spirit  embodied  in  earlier  generations 
of  airmen.  Projects  selected  for  publication  combine  solid 
research,  innovative  thought,  and  lucid  presentation  in  ex¬ 
ploring  war  at  the  operational  level.  With  this  broad  per¬ 
spective,  the  Wright  Flyer  Papers  engage  an  eclectic  range 
of  doctrinal,  technological,  organizational,  and  operational 
questions.  Some  of  these  studies  provide  new  solutions  to 
familiar  problems.  Others  encourage  us  to  leave  the  famil¬ 
iar  behind  in  pursuing  new  possibilities.  By  making  these 
research  studies  available  in  the  Wright  Flyer  Papers, 
ACSC  hopes  to  encourage  critical  examination  of  the  find¬ 
ings  and  to  stimulate  further  research  in  these  areas. 


John  T.  Sheridan,  Brig  Gen  (Sel),  USAF 
Commandant 


Preface 


This  paper  provides  a  brief  summary  of  the  direct  costs 
associated  with  automation.  It  also  provides  a  framework 
for  designers,  managers,  and  pilots  in  implementing  meas¬ 
ures  to  mitigate  these  costs.  Safety  improvements  are  not 
the  province  of  any  one  of  these  groups.  Instead,  an  inte¬ 
grated  effort  between  these  communities  is  necessary  to 
promote  aviation  safety.  I  have  assumed  that  the  reader 
has  a  working  knowledge  of  glass  cockpit  aircraft  as  well 
as  a  basic  understanding  of  human  factors  issues.  The 
scope  of  this  project  is  narrowed  to  focus  exclusively  on 
automation  issues  arising  from  studies  of  transport  air¬ 
craft.  In  spite  of  this  specific  focus  on  aviation,  the  issues 
raised  here  apply  across  a  wide  range  of  highly  automated 
domains.  I  thank  Lt  Col  Steven  A.  Kimbrell  for  his  advice 
and  assistance  on  this  project. 
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Abstract 


Cockpit  automation  has  delivered  many  promised  bene¬ 
fits,  such  as  improved  system  safety  and  efficiency;  how¬ 
ever,  at  the  same  time  it  has  imposed  system  costs  that  are 
often  manifest  in  the  forms  of  mode  confusion,  errors  of 
omission,  and  automation  surprises.  An  understanding  of 
the  nature  of  these  costs  as  well  as  associated  influencing 
factors  is  necessary  to  design  adequately  the  future  auto¬ 
mated  systems  that  will  be  required  for  Air  Mobility  Com¬ 
mand  aircraft  to  operate  in  the  future  air  traffic  environ¬ 
ment.  This  paper  reviews  and  synthesizes  human  factors 
research  on  the  costs  of  cockpit  automation.  These  results 
are  interpreted  by  modeling  the  automated  cockpit  as  a 
supervisory  control  system  in  which  the  pilot  works  with, 
but  is  not  replaced  by,  automated  systems.  From  this 
viewpoint,  pilot  roles  in  the  automated  cockpit  provide  new 
opportunities  for  error  in  instructing,  monitoring,  and  in¬ 
tervening  in  automated  systems  behavior.  These  opportu¬ 
nities  for  error  are  exacerbated  by  the  limited  machine  co¬ 
ordination  capabilities,  limits  on  human  coordination 
capabilities,  and  properties  of  machine  systems  that  place 
new  attention  and  knowledge  demands  on  the  human  op¬ 
erator.  In  order  to  mitigate  the  risks  posed  by  these  known 
opportunities  for  error  and  associated  influencing  factors, 
a  system  of  defenses  in  depth  is  required  involving  inte¬ 
grated  innovations  in  design,  procedures,  and  training. 
The  issues  raised  in  this  paper  are  not  specific  to  transport 
aircraft  or  the  broader  aviation  domain  but  apply  to  all 
current  and  future  highly  automated  military  systems. 


Background 

The  laws  that  govern  the  behavior  of  human-machine 
systems  are,  in  many  ways,  analogous  to  the  laws  that 
govern  our  physical  world.  Actions  that  affect  any  one  sys¬ 
tem  component  invariably  have  ripple  effects  and  some¬ 
times  unforeseen  interactions  with  other  system  compo¬ 
nents.  For  example,  while  the  evolution  of  powerful 
automated  cockpit  systems  has  allowed  for  the  current 
high  levels  of  safety  and  efficiency  in  the  aviation  system, 
it  has  also  resulted  in  new  types  of  potentially  serious  sys¬ 
tem  failures  in  the  form  of  breakdowns  in  human- machine 
coordination.  Observed  performance  problems  in  the 
human-machine  cockpit  team  are  discussed  in  this  paper. 
The  goal  is  to  provide  Air  Mobility  Command’s  (AMC)  de¬ 
signers,  administrators,  and  operators  an  understanding 
of  the  known  risks  associated  with  the  automated  cockpit 
systems  that  will  be  required  to  operate  in  the  future  air 
traffic  environment.  Based  on  this  assessment  of  known 
risks,  an  integrated  set  of  measures  can  be  developed  to 
mitigate  the  risks  associated  with  the  introduction  of  these 
automated  systems. 

The  evolution  of  highly  capable  automated  cockpit  sys¬ 
tems  has  provided  substantial  benefits  to  the  aviation  sys¬ 
tem.  Automated  cockpit  systems  are  the  driving  force  be¬ 
hind  the  safe,  precise,  and  economical  operations  that 
have  allowed  the  aviation  system  capacity  to  increase  dra¬ 
matically  over  the  last  50  years  while  providing  correspon¬ 
ding  increases  in  safety  and  economy.  Studies  indicate 
that  air  travel  is  one  of  the  safest  transportation  mediums 
with  an  accident  rate  of  less  than  two  per  million  depar¬ 
tures.  ^  Additionally,  the  introduction  of  automated  naviga¬ 
tion  systems  and  the  flight  management  computer  (FMC) 
has  provided  substantial  fuel  savings  and — in  combination 
with  automated  system  controllers — has  allowed  for  the 
elimination  of  the  navigator  and  flight  engineer,  thus  re¬ 
ducing  training  and  personnel  costs. 

Reports  estimate  that  over  the  next  10  years  aviation 
traffic  growth  will  continue  at  a  5  percent  yearly  rate.^ 
Since  the  world  aviation  system  is  already  nearing  capac¬ 
ity,  significant  system  changes  will  be  necessary  to  facili¬ 
tate  this  anticipated  growth.  New  and  increasingly  power- 
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ful  automated  systems  will  be  required  to  implement  the 
future  air  traffic  environment.  For  example,  “free  flight”  is 
one  proposal  currently  under  development  to  increase  the 
efficiency  and  capacity  of  the  aviation  system  by  allowing 
pilots  to  fly  random  routes  and  altitudes.  This  implemen¬ 
tation  will  require  the  addition  of  automated  cockpit  plan¬ 
ning  and  collision  avoidance  aids.^  Although  many  AMC 
aircraft  are  currently  undergoing  extensive  cockpit  up¬ 
grades,  they  will  likely  require  further  upgrades  to  comply 
with  the  requirements  of  the  future  air  traffic  environment. 

In  spite  of  these  substantial  observed  and  potential  ben¬ 
efits,  cockpit  automation  also  imposes  costs  on  the  avia¬ 
tion  system.  These  costs  are  frequently  expressed  in  the 
form  of  accidents  and  incidents  attributed  to  the  break¬ 
downs  in  coordination  between  the  pilot  and  automated 
systems.  While  the  overall  rate  of  aviation  accidents  has 
declined  dramatically  over  the  last  30  years,  little  improve¬ 
ment  has  been  seen  over  the  last  15  years  despite  the  con¬ 
tinued  evolution  and  improvement  of  automated  cockpit 
systems  such  as  the  Ground  Proximity  Warning  System 
(GPWS)  and  Traffic  Collision  Avoidance  System  (TCAS)."^  A 
closer  examination  of  the  aircraft  accident  data  indicates 
that  human  error  accounts  for  between  65  and  85  percent 
of  all  accidents.  In  many  cases,  this  causal  human  error 
can  be  attributed  to  inappropriate  human  interaction  with 
automated  systems.^ 

For  example,  on  24  April  1994  an  Airbus  300-600 
crashed  while  on  approach  to  Nagoya,  Japan.  During  the 
approach  the  copilot  inadvertently  engaged  the  aircraft’s 
“go-around  mode,”  which  caused  the  automated  systems 
to  attempt  to  fly  away  from  the  ground  using  the  aircraft 
pitch  trim  system,  while  the  pilots  attempted  to  continue 
the  landing  approach  via  input  to  the  elevator.  The  pilots 
were  unable  to  determine  that  the  pitch  trim  input  of  the 
autopilot  system  was  causing  difficulties  controlling  the 
aircraft.  Additionally,  the  design  of  the  A300  autopilot  (at 
that  time)  did  not  allow  the  pilots  to  override  the  autopilot 
by  use  of  opposing  control  stick  pressure.  Thus,  the  pilots 
and  automated  systems  continued  to  struggle  for  control, 
with  the  aircraft  eventually  pitching  up  to  near  vertical, 
stalling,  and  crashing  on  the  approach  end  of  the  run¬ 
way — killing  264  passengers  and  crew.® 
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This  accident  illustrates  a  phenomenon  that  human  fac¬ 
tors  researchers  refer  to  as  automation  surprises  (i.e.,  fail¬ 
ures  of  the  human  operator  to  track,  monitor,  or  anticipate 
the  actions  of  automated  systems  leading  to  unintended 
system  behavior).^  A  better  understanding  of  the  factors 
that  contribute  to  these  automation  surprises  will  allow 
AMC  to  determine  and  counteract  the  risks  that  may  arise 
from  implementation  of  new  automated  cockpit  systems. 
This  paper  discusses  the  human  role  in  automated  sys¬ 
tems  and  reviews  the  factors  that  research  has  shown  may 
influence  breakdowns  in  coordination  between  human  and 
machine  systems.  Based  on  these  findings,  1  discuss  con¬ 
siderations  for  an  integrated  systems  approach  to  counter¬ 
act  these  risks.  Since  the  focus  is  on  automation  upgrades 
to  AMC  aircraft,  1  concentrate  specifically  on  cockpit  au¬ 
tomation  in  transport  aircraft.  However,  these  findings  are 
also  applicable  to  the  broader  aviation  domain,  as  well  as 
other  highly  automated  systems  necessary  to  implement 
the  armed  services’  joint  vision  that  will  be  installed  in  a 
wide  variety  of  military  systems. 

Human  Role  in  Automated  Systems 

In  order  to  understand  the  risks  of  automation,  we  must 
first  understand  the  relationship  between  humans  and  au¬ 
tomated  systems.  While  it  is  tempting  to  assume  that  au¬ 
tomated  systems  function  independently  of  the  human  op¬ 
erator,  this  is  not  the  case.  As  Nehemiah  Jordan  first  noted 
in  1963 — more  than  35  years  ago — humans  and  machines 
are  not  independent  but  instead  are  complementary.®  They 
must  work  together  to  achieve  desired  system  perform¬ 
ance.  Even  the  most  highly  automated  systems  still  re¬ 
quire  the  presence  of  a  human  operator  to  monitor  system 
performance  and  intervene  in  the  case  of  system  abnor¬ 
malities  and  emergencies.®  In  order  for  humans  and  ma¬ 
chines  to  work  together  to  achieve  system  goals,  they  need 
to  develop  or  engage  in  processes  and  activities  that  en¬ 
sure  coordination  and  avoid  conflict.  The  roles  of  the 
human  operator  in  highly  automated  systems  provide  new 
opportunities  for  errors  and  undesired  system  perform- 
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ance  associated  with  the  introduction  of  automated  sys¬ 
tems. 

Prior  to  the  introduction  of  automated  cockpit  systems, 
the  primary  role  of  the  pilot  was  to  directly  control  aircraft 
performance  by  continuous  inputs  via  the  flight  controls 
and  throttle(s).  As  automated  systems  have  become  more 
powerful,  they  have  gradually  assumed  direct  control  of 
aircraft  performance,  while  the  pilot’s  role  has  shifted  to  a 
monitor  of  automated  system  performance.  For  example, 
other  than  takeoff  and  (usually)  landing,  most  of  the  direct 
aircraft  control  in  a  modern  transport  aircraft  is  delegated 
to  automated  systems — a  control  scheme  known  as  super¬ 
visory  control. 

While  this  shift  in  roles  has  led  to  more  precise  and  eco¬ 
nomical  control  of  aircraft  performance,  it  has  also  led  to 
a  change  in  the  nature  of  observed  system  errors.  In  gen¬ 
eral,  since  automated  systems  directly  control  aircraft  per¬ 
formance,  errors  of  commission — incorrect  control  actions — 
have  decreased.  However,  errors  of  omission — failures  of 
the  pilot  to  act  and  intervene  when  required — have  in¬ 
creased.  “  In  order  to  better  understand  the  reasons  be¬ 
hind  this  trend  and  to  predict  the  errors  that  may  be  ob¬ 
served  with  the  introduction  of  future  automated  systems, 
the  following  section  examines  in  detail  the  human  roles  in 
supervisory  control  systems  and  discusses  the  types  of  er¬ 
rors  that  may  arise  during  each  role. 

Figure  1  depicts  a  general  supervisory  control  system. 

In  this  type  of  system,  the  human  operator  provides  higher 
level  goals  to  the  automated  system  through  interaction 
with  what  is  known  as  a  human  interactive  computer 
(HlC).  The  HlC  supplies  the  means  for  the  operator  to  give 
control  instructions  and  monitor  system  behavior.  For  ex¬ 
ample,  on  the  modern  flight  deck  pilots  provide  heading, 
altitude,  and  routing  targets  through  both  the  FMC  and 
the  autopilot  Mode  Control  Panel  (MCP).  They  receive  feed¬ 
back  on  aircraft  performance  through  the  primary  flight 
display  (PFD),  Navigation  Display  (ND),  and  engine  indica¬ 
tions  depicted  on  the  Engine  Indication  and  Crew  Alerting 
System  (EICAS).  (For  those  unfamiliar  with  glass  cockpit 
aircraft,  see  the  appendix  for  a  brief  description.)  The 
HlCs,  in  turn,  interpret  these  pilot  inputs  and  (based  on 
environmental  conditions/aircraft  performance)  provide 
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inputs  to  the  servos  that  actually  control  aircraft  perform¬ 
ance  through  what  is  termed  task  interactive  computers 
(TIC). 


Figure  1.  Human  Roles  in  Supervisory  Control 

A  closer  examination  of  human  responsibilities  and 
tasks  in  supervisory  control  systems  reveals  potential 
problems  for  the  operator’s  ability  to  coordinate  human 
and  machine  performance.  Thomas  Sheridan  identifies  five 
basic  human  roles  in  supervisory  control:  planning,  teach¬ 
ing,  monitoring,  intervening,  and  learning. 

First,  in  the  planning  role  the  operator  decides  which 
variables  to  manipulate,  develops  criteria  to  assess  system 
actions,  and  determines  constraints  on  activities.  The 
planning  process  provides  the  basis  for  instructing  auto¬ 
mated  systems  and  monitoring  subsequent  system  behav¬ 
ior.  For  example,  upon  receipt  of  an  Air  Traffic  Control 
(ATC)  clearance,  the  crew  plans  by  determining  which  au- 
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topilot  mode  and  FMC  or  MCP  input  will  be  required  to  ex¬ 
ecute  that  clearance.  Second,  once  a  plan  is  developed,  the 
pilot  teaches  the  automated  systems  by  providing  the  ap¬ 
propriate  targets  or  instructions  to  automated  systems. 
Third,  after  providing  input  to  the  automated  systems,  the 
pilot  then  monitors  system  performance  to  ensure  the  sys¬ 
tem  is  performing  as  expected.  Monitoring  refers  to  all  ac¬ 
tivities  involved  in  adjusting  system  performance  in  re¬ 
sponse  to  small  deviations  (trimming),  as  well  as  fault 
detection  and  diagnosis.  In  the  current  cockpit,  the  pilot 
relies  primarily  on  information  presented  on  the  PFD  and 
ND  to  monitor  system  performance.  These  instruments 
give  indications  of  aircraft  attitude,  altitude,  airspeed,  and 
heading,  as  well  as  active  aircraft  mode(s)  and  command 
targets.  Fourth,  the  pilot  determines  whether  and  when  it 
is  necessary  to  intervene  with  machine  performance  (due 
to,  for  example,  task  completion,  machine  requests  for  as¬ 
sistance,  or  undesired  system  performance).  Fifth,  based 
on  the  given  plan,  inputs  to  the  system,  system  behavior, 
and  interventions  (if  any),  the  pilot  learns  lessons  that  may 
be  applied  to  system  control  in  future  situations. 

Errors  can  occur  at  each  of  these  five  steps.  During  the 
planning  stage,  errors  occur  when  the  pilot  develops  an  in¬ 
appropriate  plan  for  providing  data  to  the  automated  sys¬ 
tems.  These  errors  have  two  general  causes.  First  (as  is 
also  the  case  in  nonautomated  systems),  errors  can  occur 
when  pilots  fail  to  consider  all  available  information  (such 
as  fuel  state  or  existing  weather)  when  developing  the  plan. 
Second,  they  may  occur  when  pilots  do  not  understand 
how  the  automated  systems  will  respond  to  the  plan. 
These  failures  may  be  due  either  to  an  inadequate  mental 
model  of  system  operation  or  to  a  failure  to  understand  the 
current  operating  mode  of  the  aircraft.  Research  indicates 
that  due  to  the  complexity  of  automated  systems,  pilots 
frequently  possess  a  faulty  knowledge  of  automated  sys¬ 
tem  action,  with  a  majority  of  pilots  surveyed  indicating 
that  they  have  been  surprised  by  automated  system  ac¬ 
tions.  Also,  pilots  may  possess  the  relevant  knowledge 
but  may  be  unable  to  apply  that  knowledge  in  the  current 
context — a  phenomenon  known  as  inert  knowledge.  For 
example,  although  pilots  may  have  been  trained  on  pro¬ 
gramming  holding  patterns  into  the  FMC  database,  they 
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may  be  unable  to  retrieve  and  apply  that  information  when 
called  upon  to  do  so  during  flight.  Research  indicates  that 
inert  knowledge  is  a  frequent  problem  in  automated  sys¬ 
tems,  especially  when  the  required  actions  are  only  infre¬ 
quently  performed.  Finally,  pilots  may  develop  an  inap¬ 
propriate  plan  due  to  a  lack  of  knowledge  regarding  the 
operating  mode  of  the  aircraft — a  phenomenon  known  as 
mode  error.  This  problem  is  particularly  critical  since  in 
some  cases,  the  same  operator  input  will  result  in  drasti¬ 
cally  different  system  behavior  depending  on  the  operating 
mode  of  the  aircraft.  For  example,  an  A320  crashed  on  ap¬ 
proach  to  Strasbourg,  France,  in  January  1992  when  the 
crew  attempted  to  program  the  aircraft  to  fly  a  3.0-degree 
glide  path.  However,  due  to  the  active  autopilot  mode,  the 
input  was  interpreted  as  a  command  to  fly  a  3,300-foot  per 
minute  descent  rate.  As  a  result,  the  aircraft  crashed  sev¬ 
eral  miles  short  of  the  runway.  Mode  error  is  a  complex 
problem;  however,  it  is  often  tied  to  the  failure  of  cockpit 
mode  indications  to  capture  pilot  attention  as  well  as  the 
occurrence  of  automatic,  or  uncommanded,  mode  transi¬ 
tions  dictated  by  system  software. 

Errors  can  also  occur  in  the  teaching  role.  These  errors 
generally  take  the  form  of  data  input  errors — often  the  in¬ 
correct  entry  of  altitude  or  navigation  information.  This 
type  of  error  is  a  common  cause  of  deviations  from  ATC  in¬ 
structions.  While  incorrect  data  entry  is  generally  consid¬ 
ered  easier  to  detect  than  the  development  of  an  incorrect 
plan,i®  the  frequent  presence  of  a  time  delay  between  data 
entry  and  system  impact  can  act  against  error  detection. 
For  example,  navigation  data  entered  prior  to  taxi  may  not 
affect  aircraft  performance  until  many  hours  into  flight. 
The  1983  Korean  Air  Lines  shootdown  over  Russian  air¬ 
space  may  have  been  caused  by  such  a  data  entry  error, 

Errors  also  arise  during  pilot  monitoring.  These  errors 
are  failure  to  detect  deviations  from  desired  performance. 
These  deviations  from  desired  performance  may  arise  from 
inappropriate  plans,  incorrect  data  entry,  automated  sys¬ 
tem  malfunctions,  or  in  response  to  changes  in  the  task 
situation  (variations  in  temperature  or  wind,  system  fail¬ 
ures,  etc.).  Basic  psychological  research  indicates  that  hu¬ 
mans  are  relatively  poor  monitors  and  often  fail  to  detect 
critical  events.^®  Flight  simulator  studies  confirm  that  once 
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tasks  have  been  delegated  to  automated  systems,  human 
monitoring  is  often  insufficient  to  detect  problems. 

Beyond  human  monitoring  limitations,  there  are  two  ad¬ 
ditional  reasons  for  this  relatively  poor  monitoring  per¬ 
formance.  First,  in  highly  automated  cockpits,  research 
shows  that  pilots  have  gone  away  from  a  general  instru¬ 
ment  scan  towards  an  expectations-based  monitoring 
strategy  in  which  they  check  specific  cockpit  indications  to 
confirm  that  the  system  is  performing  as  expected.  As  a  re¬ 
sult,  pilots  are  less  likely  to  detect  automated  system  ac¬ 
tions  that  go  beyond  pilot  expectations. The  logic  in  some 
FMCs  dictates  that  when  a  change  is  made  to  the  landing 
runway,  all  current  vertical  constraints  are  deleted  be¬ 
cause  they  may  no  longer  be  appropriate.  Since  this  dele¬ 
tion  is  not  expected,  research  indicates  that  pilots  often  do 
not  check  for,  and  thus  do  not  detect,  this  situation.  Sec¬ 
ond,  automated  systems  often  provide  feedback  that  is  not 
sufficiently  salient  to  attract  pilot  attention.  One  feature  of 
automated  systems  is  that  they  present  more  information 
than  the  pilot  can  process  in  the  time  available  (informa¬ 
tion  overload). In  the  absence  of  salient  indications  (i.e., 
flashing  lights,  color  changes,  etc.),  pilots  often  do  not  pay 
attention  to  potentially  relevant  information.  One  simula¬ 
tor  study  found  that  nearly  25  percent  of  pilots  who  ac¬ 
cessed  a  particular  FMC  page  containing  information  re¬ 
quired  to  detect  an  error  failed  to  detect  the  error  due  to 
the  poor  layout  of  the  FMC  page  (a  cluttered  display  full  of 
numbers  of  similar  appearance). in  a  related  manner,  the 
design  of  the  FMC  also  provides  barriers  to  detecting  un¬ 
desired  performance.  The  FMC  contains  a  wealth  of  per¬ 
formance  and  environmental  data  but  can  only  show  a 
very  small  portion  of  that  data  at  any  one  time.  This  fea¬ 
ture  is  referred  to  as  the  keyhole  property  and  places  ad¬ 
ditional  demands  on  pilots  in  that  they  must  not  only  re¬ 
alize  that  they  need  a  particular  piece  of  information  but 
must  also  remember  where  that  piece  of  information  is  lo¬ 
cated  in  the  FMC  menu  structure. 

Even  if  errors  are  detected,  they  must  still  be  corrected 
to  prevent  undesired  system  performance.  In  order  to  suc¬ 
cessfully  intervene  in  undesired  system  behavior,  the  pilot 
must  correctly  assess  the  nature  of  the  problem  and  de¬ 
termine  an  appropriate  strategy  for  correcting  the  problem. 
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It  must  be  realized  that  in  many  situations  (e.g.,  when  re¬ 
quired  performance  is  beyond  human  capabilities — as  in  a 
category  III  instrument  landing  system  [ILS]  approach),  the 
pilot  cannot  simply  assume  manual  control  but  must  pro¬ 
vide  additional  instructions  to  automated  systems  to  cor¬ 
rect  the  problem.  Intervention  errors  occur  when  the  pilot 
is  unable  to  take  corrective  action  or  understand  why  a 
problem  has  occurred  or  what  to  do  to  correct  it.  In  the 
previously  cited  Nagoya  crash,  the  pilots  were  unable  to 
determine  why  the  system  was  exhibiting  the  observed  be¬ 
havior  (inadvertent  selection  of  the  go-around  mode),  were 
unable  to  determine  the  correct  action  (disengage  the  au¬ 
topilot),  and  were  prevented  by  system  design  from  over¬ 
riding  system  actions.  Research  indicates  that  pilots  often 
fail  to  understand  system  operation  and  often  do  not  un¬ 
derstand  available  methods  of  correcting  undesired  system 
behavior. 2'^  In  addition  to  these  findings,  the  growing  in¬ 
ability  of  operators  to  override  system  action  due  to  in¬ 
creased  machine  authority  is  particularly  troubling.  In 
essence,  since  pilots  may  lack  the  authority  to  override 
system  actions  they  (or  the  designers)  must  be  able  to  un¬ 
derstand  beforehand  the  implications  of  selecting  a  given 
course  of  action — something  that  may  be  difficult  or  im¬ 
possible,  particularly  if  aircraft  designers  have  failed  to 
consider  a  given  possibility.  The  1988  crash  of  an  A320 
while  on  a  demonstration  flight  in  France  was  caused  by 
the  inability  of  the  pilot  to  understand  and  override  pre¬ 
programmed  flight  limits  during  a  low-altitude,  low- speed 
pass  unforeseen  by  system  designers. 

Errors  may  occur  in  the  learning  process  when  pilots 
learn  the  wrong  lessons  or  fail  to  learn  from  past  experi¬ 
ences  with  automated  systems.  This  will  result  in  the  for¬ 
mation  and  perpetuation  of  an  inaccurate  mental  model  of 
system  activity,  thus  creating  difficulties  in  future  plan¬ 
ning,  monitoring,  and  intervening  with  automated  systems 
(table  1). 


Human-Machine  Coordination 


In  addition  to  the  general  opportunities  for  error  that 
arise  from  the  supervisory  control  process,  human  and 
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Table  1 

Human  Roles  and  Opportunities 
for  Error  in  Supervisory  Control 

Human 

Role 

General  Difficulty 

Caused  By 

Contributing 

Factors 

Monitoring 

Inappropriate  plan 
developed 

1.  Failure  to  consider 
relevant  Information 

2.  Failure  to  under¬ 
stand  automated 
system 

(a)  Inadequate 
mental 
model 

(b)  Inert 
knowledge 

(c)  Mode  errors 

Teaching 

Improper  data 
entry 

Wrong  data/ 
Incorrect  location 

Time  delays 

Monitoring 

Failure  to  detect 
the  need  to 
Intervene 

1.  Human  monitoring 
limits 

2.  Expectation-based 
monitoring 

3.  Inadequate  feedback 

(a)  Inadequate 
mental 
models 

(b)  Information 
overload 

(c)  Lack  of 
salient 
indications 

(d)  Keyhole 
property  of 
FMC 

Intervening 

Missed /incorrect 
Intervention  in 
undeslred  system 
behavior 

1.  Inability  to  under¬ 
stand  why  the 
problem  occurred 
or  what  to  do 

to  correct  It 

2.  Unable  to  correct 

(a)  Inadequate 
mental 
models 

(b)  Complex 
systems 

Learning 

Failure  to  learn 
from  experiences 

Inadequate 

mental 

model 

machine  coordination  abilities  and  requirements  also  cre¬ 
ate  automation- induced  performance  costs.  This  section 
defines  and  describes  coordination  and  describes  inherent 
human- machine  coordination  problems. 

Coordination  Theory  was  developed  at  the  Massachu¬ 
setts  Institute  of  Technology  Sloan  School  of  Management 
to  describe  coordination  and  cooperation  across  a  broad 
range  of  activities  and  can  be  used  as  a  theoretical  frame¬ 
work  for  understanding  human-machine  coordination.  Ac- 
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cording  to  this  theory,  coordination  is  defined  as  the  “man¬ 
agement  of  dependencies”  between  the  activities  and  goals 
of  actors. These  dependencies,  or  potential  conflicts,  can 
take  many  forms — including  constraints  on  shared  re¬ 
sources,  time  availability  and  scheduling,  restrictions  on 
simultaneous  operations,  as  well  as  incompatibilities  be¬ 
tween  different  task  and  sub  task  elements.  In  simpler 
terms,  human- machine  coordination  entails  the  processes 
required  to  detect  and  resolve  conflicts  between  the  goals 
and  actions  of  pilots  and  automated  systems. 

The  variety  and  multiple  sources  of  goals  and  actions  in 
a  typical  flight  complicate  cockpit  coordination.  For  exam¬ 
ple,  pilot  goals  may  include  navigating  from  airport  A  to 
airport  B,  following  ATC  directives,  following  prescribed 
procedures,  et  cetera.  Automated  systems  also  hold  a  wide 
variety  of  goals.  The  pilots  provide  most  of  these  goals  such 
as  heading,  airspeed,  and  altitude  targets.  The  aircraft  de¬ 
signers,  however,  provide  some  goals.  For  example,  au¬ 
topilots  (and  even  aircraft  control  software  in  the  most  ad¬ 
vanced  aircraft)  are  programmed  to  fly  above  a  minimum 
airspeed  and  below  a  maximum  airspeed  at  all  times.  In 
addition  to  goals  provided  by  the  operator  or  designer, 
some  machine  goals  may  be  provided  by  other  human  or 
machine  agents.  Data  link  will  allow  for  direct  communi¬ 
cation  between  cockpit  automation  and  ground-based 
human  and  machine  agents. Since  pilots  may  be  less 
aware  of  the  goals  provided  by  designers  and  outside 
agents,  coordination  of  these  goals  and  actions  may  be 
particularly  difficult. 

In  human-human  teams,  coordination  is  a  cooperative 
endeavor  in  which  all  parties  share  information  on  ongoing 
tasks  and  goals  and  actively  seek  to  resolve  misunder¬ 
standings  or  ambiguities.  Unfortunately,  automated  cock¬ 
pit  systems  possess  limited  communication  and  inferential 
abilities  that  severely  constrain  true  cooperation  among 
human  and  machine  agents. As  a  result  automated  sys¬ 
tems  are  unable  to  share  the  responsibility  for  coordinat¬ 
ing  intentions  and  actions  due  to  limited  machine  abilities 
as  well  as  the  dynamic  nature  of  the  aviation  domain. 
Therefore,  pilots  are  primarily  responsible  for  detecting 
and  resolving  present  and  future  conflicts  between  human 
and  machine  goals  and  actions.  This  responsibility  implies 
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that  pilots  must  understand  not  only  machine  goals  and 
actions  but  must  understand  how  automated  systems  will 
interpret  pilot  actions  as  well.  As  in  the  Nagoya  crash, 
human-machine  coordination  ceased  when  the  pilots  were 
unable  to  ascertain  autopilot  goals  (to  climb  away  from  the 
ground)  and  actions  (autopilot  induced  nose-up  trim  in¬ 
puts).  Additionally,  when  the  pilots  recognized  that  some¬ 
thing  was  wrong,  attempts  to  resolve  the  conflict  were  un¬ 
successful  because  they  did  not  realize  that  because  the 
autopilot  was  engaged  in  the  go-around  mode,  it  would  not 
correctly  interpret  their  corrective  actions  (in  the  go- 
around  mode,  the  trim  system  locked  out  pilot  nose- down 
trim  inputs). 

Research  indicates  four  major  machine  communication 
and  design  factors  that  contribute  to  breakdowns  in 
human-machine  coordination — an  inability  to  sense  oper¬ 
ator  goals,  an  inability  to  communicate  machine  goals,  an 
inability  to  communicate  a  lack  of  clear  understanding  of 
operator  inputs,  and  an  inability  to  communicate  proxim¬ 
ity  to  the  limits  of  automated  system  capabilities.  First, 
machines  generally  lack  an  ability  to  sense  operator 
goals. Thus,  designers  are  forced  to  make  (sometimes 
faulty)  assumptions  about  pilot  intentions  and  probable 
actions.  This  inability  to  sense  goals  has  been  shown  to 
lead  to  a  variety  of  potential  breakdowns  in  coordination. 
For  example,  when  a  pilot  changes  the  designated  landing 
runway  in  the  FMC,^"^  the  machine  does  not  know — and 
cannot  ask — ^whether  or  not  this  runway  change  will  also 
require  a  change  to  the  previously  constructed  vertical 
profile.  Then  the  system  design  is  forced  to  make  an  as¬ 
sumption  about  pilot  intent.  Since  in  many  cases  a  change 
in  runway  often  results  in  a  landing  in  the  opposite  direc¬ 
tion,  the  system  design  assumes  the  pilot  will  want  to  con¬ 
struct  a  new  vertical  profile  and  thus  deletes  the  stored 
vertical  profile.  However,  this  design  feature  leads  to  prob¬ 
lems  when  the  change  in  runway  is  merely  a  side  step  to  a 
parallel  runway.  In  this  case,  ATC  expects  the  pilot  to  re¬ 
tain  the  vertical  constraints  automatically  deleted  by  the 
FMC.  If  the  pilot  does  not  realize  the  constraints  have  been 
deleted  (as  research  shows  is  quite  often  the  case),  the  re¬ 
sult  is  a  failure  to  meet  an  assigned  altitude  restriction. 
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Second,  automatic  systems  do  not  always  clearly  com¬ 
municate  their  own  goals.  Automated  systems  often  pro¬ 
vide  a  great  deal  of  feedback  on  what  actions  they  are  tak¬ 
ing  but  little  information  on  why  they  are  taking  those 
actions. Feedback  on  machine  goals  is  especially  impor¬ 
tant  because  machine  actions  can  result  not  only  from 
goals  provided  by  the  pilot  but  also  from  goals  provided  by 
system  designers  and  other  agents.  As  demonstrated  by 
the  Nagoya  crash,  pilots  may  be  unable  to  resolve  conflicts 
without  knowledge  of  the  machine  goals  that  led  to  the  ob¬ 
served  discrepant  behavior. 

Third,  unlike  human  crew  members,  automated  systems 
often  lack  the  ability  to  clarify  ambiguous  or  misunderstood 
instructions.  This  is  especially  true  when  full  understanding 
requires  knowledge  of  other  pilot  goals  and  intentions.^®  For 
example,  in  the  1995  crash  of  a  B757  en  route  to  Cali, 
Colombia,  the  crew  was  cleared  to  proceed  directly  to  a  point 
named  “Rozo.”  Due  to  crew  confusion  over  waypoint  desig¬ 
nators,  the  crew  entered  “R”  into  the  FMC  instead  of  the  re¬ 
quired  Rozo.  Unfortunately  the  point  “R”  corresponded  to  a 
nondirectional  radio  beacon  (NDB)  located  near  Bogota,  ap¬ 
proximately  100  miles  in  the  opposite  direction  of  intended 
landing.  Since  the  FMC  was  unable  to  detect  the  ambiguity 
inherent  in  a  command  to  turn  in  the  opposite  direction  of 
the  landing  airport,  the  FMC  dutifully  followed  this  command 
and  executed  a  nearly  180-degree  course  reversal  while  de¬ 
scending  in  mountainous  terrain,  resulting  in  a  fatal  impact 
with  terrain.®^ 

Fourth,  automated  systems  do  not  give  clear  indications 
when  they  are  approaching  the  limits  of  their  capability.®® 
While  human  performance  often  degrades  gradually,  thus 
giving  other  team  members  time  to  detect  and  compensate 
for  impending  failure,  machine  systems  often  give  up  sud¬ 
denly  without  warning.  As  a  result,  pilots  may  have  insuf¬ 
ficient  time  to  plan  and  compensate  for  machine  failure. 
For  example,  a  China  Air  Lines  B747  experienced  engine 
failure  above  three-engine  altitude  cruise  altitude  off  the 
coast  of  San  Francisco.  While  the  aircraft  slowly  deceler¬ 
ated,  the  autopilot  was  forced  to  provide  increasing  control 
force  to  keep  the  wings  level.  Since  the  indications  of  au¬ 
topilot  effort  were  difficult  to  determine,  when  the  crew 
disengaged  the  autopilot  they  were  caught  off  guard  by  the 
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control  inputs  required  to  hold  level  flight,  resulting  in  a 
30,000-foot  altitude  loss  and  structural  damage  prior  to 
recovery.^® 

Due  to  limited  machine  inferential  and  communication 
abilities,  machines  cannot  share  the  responsibility  for  co¬ 
ordinating  human  and  machine  actions.  As  a  result,  the 
need  to  coordinate  the  actions  of  automated  systems 
places  additional  knowledge  and  attentional  demands  on 
the  human  operator.  In  other  words,  the  human  operator 
is  responsible  for  knowing  how  a  machine  will  act  in  a 
given  situation  but  must  be  able  to  monitor  for  pending 
conflicts  with  or  between  the  large  number  of  automated 
cockpit  systems.  Many  of  these  conflicts  arise  due  to  in¬ 
herently  limited  machine  communication  and  inferential 
abilities  that  cause  automated  systems  to  misinterpret  or 
make  incorrect  inferences  regarding  human  intentions. 

Factors  Affecting  Human 
Coordination  Activities 

Effective  integration  of  automated  systems  requires  an 
understanding  of  the  factors  that  may  serve  to  limit  the 
pilot’s  capacity  to  meet  the  demands  of  coordinating 
human  and  machine  actions.  In  general,  research  indi¬ 
cates  that  most  breakdowns  in  human-machine  coordina¬ 
tion  occur  in  high  workload,  high  time  pressure,  and  un¬ 
familiar  situations. 

Workload 

The  amount  of  cognitive  workload  imposed  by  auto¬ 
mated  systems  affects  the  pilot’s  ability  to  program,  moni¬ 
tor,  and  intervene  with  automated  systems.  The  relation¬ 
ship  between  human  performance  and  workload  generally 
follows  an  inverted  U-shaped  function  known  as  the 
Yerkes-Dodson  law.^^  In  general,  human  performance  is 
poor  in  conditions  of  both  low  and  high  workload,  with  op¬ 
timum  performance  occurring  at  moderate  levels.  Thus, 
workload  can  harm  human  performance  in  two  ways — by 
raising  or  lowering  pilot  workload  away  from  optimum  lev¬ 
els.  When  workload  is  too  low,  boredom  decreases  the 
pilot’s  ability  to  monitor  automated  systems.  Conversely, 
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when  workload  is  too  high,  a  phenomenon  known  as  cog¬ 
nitive  tunneling  is  likely  to  occur,  which  serves  to  limit 
human  performance.^^  Under  cognitive  tunneling,  humans 
tend  to  focus  on  a  relatively  small  number  of  salient  cues 
and  ignore  other  information  sources.  As  a  result,  pilots 
may  fail  to  detect  the  need  to  intervene  in  automated  sys¬ 
tem  performance,  or  may  be  unable  to  consider  the  factors 
required  to  adequately  program  automated  systems.  Cog¬ 
nitive  tunneling  is  one  explanation  for  the  1972  crash  of  an 
Eastern  Airlines  L-101 1  in  the  Florida  everglades  in  which 
preoccupation  with  a  burned-out  landing  gear  indicator 
prevented  the  crew  from  detecting  a  gradual  descent  into 
the  terrain. 

While  automated  systems  are  often  intended  to  reduce 
pilot  workload,  research  indicates  that  the  introduction  of 
glass  cockpit  aircraft  has  had  little  effect  on  overall  pilot 
workload.  The  introduction  of  automated  systems  tends  to 
redistribute,  rather  than  reduce,  pilot  workload."^"^  The  gen¬ 
eral  trend  for  cockpit  automation  is  to  reduce  workload  when 
it  is  already  low  (at  cruise)  and  increase  workload  when  it  is 
already  high  (during  departure  and  arrival),  a  phenomenon 
known  as  “clumsy  automation.  This  workload  distribution 
is  due,  in  large  part,  to  the  high  cognitive  demands  imposed 
by  planning  and  instructing  automated  systems  (i.e.,  the  de¬ 
mands  of  data  entry  associated  with  the  frequent  route  and 
altitude  changes  occurring  in  the  terminal  area). 

Time  Pressure 

The  previously  described  crash  of  a  B757  en  route  to 
Cali,  Colombia,  illustrates  the  effects  of  time  pressure  on 
the  pilot’s  ability  to  instruct  and  monitor  automated  sys¬ 
tems.  In  this  case,  the  crew  was  under  considerable  time 
pressure  due  to  pilot  acceptance  of  an  unanticipated  clear¬ 
ance  to  fly  a  straight-in  approach  to  the  south  (as  opposed 
to  overflying  the  field  for  an  approach  to  the  north).  When 
the  automated  systems  were  mistakenly  programmed  to  fly 
direct  to  the  Romeo  NDB  (as  opposed  to  Rozo),  it  took  the 
crew  almost  one  minute  to  realize  that  they  were  proceed¬ 
ing  almost  180  degrees  off  of  the  desired  course.^® 

Time  pressure  has  several  effects  on  the  pilot’s  ability  to 
interact  with  automated  systems.  A  review  of  judgments  and 
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decision  making  under  time  pressure  found  that  as  time 
pressure  increases:  (1)  people  tend  to  use  less  information  or 
use  available  information  in  a  more  shallow  manner,  (2)  more 
important  sources  of  information  are  given  increasing 
weight,  (3)  people  tend  to  lock  in  on  one  strategy  and,  as  a  re¬ 
sult,  (4)  performance  decreases. In  general,  these  studies 
suggest  that  as  time  pressure  increases,  pilots  will  consider 
less  of  the  available  evidence  when  instructing,  monitoring, 
and  intervening  with  automated  systems  and  may  also  seek 
less  cognitively  demanding  methods  of  arriving  at  these  deci¬ 
sions — ^which  may  lead  to  breakdowns  in  human-machine 
coordination.  For  example,  a  1999  simulator  study  found 
that  time  pressure  significantly  reduced  pilots’  ability  to  de¬ 
tect  problems  with  the  automated  implementation  of  data- 
link  ATC  clearances.^® 

Situational  Awareness 

In  order  to  anticipate  the  actions  of  automated  systems, 
the  pilot  must  have  good  situational  awareness  (i.e., 
knowledge  of  the  current  and  projected  aircraft  state  and 
associated  variables).  Since  automated  systems — and  not 
the  pilot — actually  control  the  aircraft,  the  pilot  may  fail  to 
develop  an  accurate  mental  picture  of  aircraft  state  and 
important  information  needed  to  control  the  aircraft.  Thus, 
the  introduction  of  automated  systems  can  lead  to  poor 
situational  awareness  resulting  in  problems  instructing, 
monitoring,  and  intervening  in  automated  systems.  These 
will  be  discussed  in  turn. 

Poor  situational  awareness  can  lead  to  problems  in¬ 
structing  automated  systems.  For  example,  problems  of 
mode  error  (i.e.,  pilot  actions  inappropriate  for  the  given 
aircraft  mode  such  as  the  previously  described  Strasbourg 
accident)  can  contribute  to  poor  situational  awareness. 
Second,  as  indicated  previously,  pilot  monitoring  in  auto¬ 
mated  aircraft  is  based  primarily  on  expectations  of  air¬ 
craft  performance.^®  A  lack  of  situational  awareness  re¬ 
garding  aircraft  state  or  the  presence  of  potential  threats 
can  lead  to  the  failure  to  detect  the  need  to  intervene.  For 
example,  problems  with  situational  awareness  contributed 
to  the  previously  described  Cali  crash.  Due,  in  part,  to  the 
automated  removal  of  certain  navigation  information 
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shown  on  the  cockpit  displays  following  a  change  in  way- 
points,  as  well  as  a  reliance  on  the  autopilot/FMC  for  nav¬ 
igation,  the  crew  was  unsure  of  aircraft  position,  as  well  as 
the  position  of  nearby  waypoints.  As  a  result,  the  crew  was 
unaware  of  the  close  proximity  of  steeply  rising  terrain.®^ 

Poor  situational  awareness  can  also  lead  to  problems 
with  successfully  intervening  in  automated  system  ac¬ 
tions — a  phenomenon  known  as  “out  of  the  loop  syn¬ 
drome. T]^e  1999  simulator  study  also  found  that  the  in¬ 
troduction  of  an  automated  system  that  automatically 
loaded  data-link  clearances  into  the  FMC  and  MCP  re¬ 
sulted  in  a  decreased  pilot  knowledge  of  current  aircraft 
state,  thus  delaying  actions  to  intervene  in  undesired  per¬ 
formance.  In  this  study,  pilots  using  this  automated  sys¬ 
tem  were  less  likely  to  detect  a  clearance  to  descend  to  an 
altitude  above  the  current  altitude.  When  the  problem  (an 
unexpected  climb)  was  encountered,  the  lack  of  knowledge 
of  current  altitude  resulted  in  delayed  or  misdirected  in¬ 
tervention  (e.g.,  attempts  to  troubleshoot  a  presumed 
faulty  autopilot). 

Since  automated  systems  assume  the  role  of  directly 
controlling  aircraft  performance,  pilots  may  encounter 
problems  developing  the  situational  awareness  required  to 
instruct,  monitor,  and  intervene  in  system  performance. 
However,  the  introduction  of  automated  systems  does  not 
always  lead  to  decreased  situational  awareness.  Instead,  it 
appears  that  the  effects  on  situational  awareness  depend 
on  the  interaction  with  changes  in  pilot  workload.  Studies 
involving  failure  detection  during  autopilot  coupled  with 
instrument  approaches  shows  that  automation  may  im¬ 
prove  pilot  performance  to  the  extent  that  it  decreases 
workload  while  not  detracting  from  the  system  feedback 
available  to  the  pilot.  Other  research  suggests  that  the 
introduction  of  automated  systems  may  allow  pilots  to  de¬ 
velop  a  better  awareness  of  the  strategic  situation  (knowl¬ 
edge  of  the  general  route  of  flight  in  relation  to  other  way- 
points  or  hazards)  because  the  automated  systems  free  the 
pilot  from  concentrating  on  the  tactical  details  of  control¬ 
ling  system  operation.^® 

The  bottom  line  is  that  the  introduction  of  automated  sys¬ 
tems  may  either  help  or  hurt  pilot  performance,  depending 
on  the  tradeoff  between  reductions  in  pilot  workload  and  po- 
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tential  decreases  in  pilot  awareness  of  system  operations. 
Additionally,  the  introduction  of  automated  control  systems 
may  allow  for  reduced  pilot  awareness  of  the  details  of  sys¬ 
tems  operations,  but  the  reduction  in  workload  associated 
with  automated  system  control  may  free  the  pilot  to  focus  at¬ 
tention  on  higher-level  problems.  In  order  to  assess  the  pos¬ 
itive  or  negative  effects  of  automation  on  human  perform¬ 
ance,  system  designers  and  operators  must  consider  the 
effects  of  automation  on  pilot  workload,  as  well  as  the  con¬ 
sequences  for — ^and  relative  importance  of — tactical  and 
strategic  situational  awareness. 

Machine  Factors  Affecting 
Human-Machine  Coordination 

In  addition  to  the  factors  that  have  a  direct  effect  on  pilot 
performance,  research  also  indicates  that  many  features  of 
modem  automated  systems  also  contribute  to  breakdowns 
in  human-machine  coordination.  Automated  systems  have 
evolved  from  simple  systems  that  carried  out  relatively  un¬ 
complicated  functions  (e.g.,  early  autopilot  systems  did  little 
more  than  hold  heading  and  altitude)  into  very  powerful 
agent-like  systems  that  carry  out  multiple  functions  and  pur¬ 
sue  complicated  goal-oriented  tasks  (e.g.,  the  modern  au¬ 
topilot  or  FMC  can  plan  and  execute  complicated  flight  path 
trajectories).  Research  indicates  that  these  highly  capable 
modem  systems  possess  several  attributes — authority,  au¬ 
tonomy,  complexity,  coupling,  and  low  observability — that 
contribute  to  breakdowns  in  human-machine  coordination.^® 
A  better  understanding  of  the  impact  of  these  factors  will 
allow  for  designers  and  operators  to  make  better  informed 
design  decisions  regarding  those  factors  that  can  be  con¬ 
trolled  and  to  implement  more  effective  measures  to  control 
the  risks  posed  by  those  factors  that  cannot  be  designed  out 
of  future  automated  systems. 

Authority 

Authority  describes  the  ability  of  the  automated  system 
to  override  or  block  human  input.  Automated  system  au¬ 
thority  is  often  intended  to  prevent  unsafe  operation  (e.g., 
systems  that  prevent  over  speed  or  under  speed  condi- 
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tions)  or  is  intended  to  prevent  human  actions  from  inter¬ 
fering  with  automated  systems  operation  (e.g.,  trim  sys¬ 
tems  that  lock  out  pilot  input  while  the  autopilot  is  en¬ 
gaged).  However,  high  levels  of  system  authority  may  also 
prevent  the  pilot  from  intervening  in  the  case  of  undesired 
system  operation.  As  noted  in  the  previously  described 
A320  crash  during  a  flight  demonstration,  the  pilot  could 
not  override  the  preprogrammed  flight  limits  when  such  a 
response  was  required  to  prevent  impact  with  the 
ground.^® 

At  a  general  level,  high  levels  of  machine  authority  may 
place  the  pilot  in  what  is  known  as  the  responsibility-au¬ 
thority  double  bind.  This  situation  occurs  when  the 
human  operator  has  the  responsibility  for  system  opera¬ 
tion  but  does  not  have  the  authority  to  take  all  necessary 
control  actions.®®  Research  across  a  range  of  domains 
shows  that  this  split  between  authority  and  responsibility 
leads  to  poor  system  operation.®®  In  the  case  of  the  mod¬ 
ern  cockpit,  the  pilot  in  command  has  the  legal  and  moral 
responsibility  for  ensuring  safe  and  effective  operations; 
yet  in  some  cases,  he  may  lack  the  ability  to  override  the 
actions  of  automated  systems.  This  lack  of  authority 
means  that  in  order  to  coordinate  human  and  machine  ac¬ 
tions,  the  pilot  must  anticipate  some  conflicts  before  they 
occur  since  he  or  she  may  not  be  able  to  intervene  after  the 
fact.  Given  the  complexity  of  automated  systems,  human 
cognitive  limits,  the  dynamic  nature  of  the  environment, 
and  the  possibility  of  machine  malfunction,  it  will  be  im¬ 
possible  for  the  pilot  to  anticipate  machine  actions  in  all 
situations.  While  good  system  design  can  minimize  the 
number  of  situations  in  which  pilots  may  have  a  legitimate 
reason  to  override  machine  actions,  analysis  indicates  that 
designers  cannot  anticipate  every  possible  situation.®^ 

There  are  three  general  ways  in  which  machines  may  limit 
pilot  authority.  First,  the  most  obvious  situation  occurs  when 
pilots  are  physically  unable  to  override  machine  actions.  For 
example,  most  fly-by-wire  aircraft  incorporate  features  that 
prevent  over  speeding  or  overstressing  the  airframe.  Second, 
pilot  authority  is  also  limited  when  the  human  effort  required 
to  override  machine  systems  exceeds  his  or  her  capabilities. ®2 
For  example,  automated  decision-making  aids  may  usurp 
pilot  authority  when  the  complexity  of  their  decision 
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processes  exceeds  the  capacity  of  the  human  operator  to  as¬ 
sess  accurately  the  validity  of  the  decision.  One  study  of  pilot 
interaction  with  a  complex  cockpit  flight  plarming  aid  showed 
that  pilots  often  followed  risky  flight  planning  suggestions 
when  the  automated  system  failed  to  consider  the  projected 
track  of  hazardous  weather.®^  Third,  relative  difficulties  re¬ 
programming  automated  systems  can  also  limit  pilot  author¬ 
ity.  A  study  of  glass  cockpit  pilots  found  that  more  than  75 
percent  of  reported  problems  overriding  automated  systems 
dealt  with  difficulties  reprogramming  automated  systems 
rather  than  difficulties  assuming  manual  control.®^ 

Autonomy 

Autonomy  refers  to  the  capability  of  automated  systems 
to  operate  for  long  periods  of  time  with  minimal  operator 
input.®®  For  example,  once  programmed  during  pretaxi  op¬ 
erations,  the  FMC  can  provide  navigational  guidance  for 
the  duration  of  the  flight.  System  autonomy  creates  prob¬ 
lems  by  increasing  the  time  delay  between  control  input 
and  associated  systems  response.  As  this  time  delay  in¬ 
creases,  the  probability  of  error  detection  decreases.®®  Be¬ 
cause  human  memory  decays  with  time,  it  becomes  in¬ 
creasingly  difficult  for  the  operator  to  generate  the 
expectations  required  to  monitor  system  performance  ef¬ 
fectively.  This  problem  is  exacerbated  in  long-haul  flights 
in  which  relief  crew  members  swap  out  during  flight.  In 
this  case,  the  relief  crew  members  monitor  system  behav¬ 
ior  that  may  be  the  result  of  inputs  made  by  a  different 
crew  member.  That  input  may  perhaps  be  incorrect  or  may 
use  techniques  not  desired  by  the  present  crew. 

Complexity 

As  automated  systems  grow  more  powerful,  they  are 
also  more  complex  both  in  terms  of  the  number  of  auto¬ 
mated  components  as  well  as  the  calculations  required  to 
produce  system  behavior.  ®’^  This  complexity  makes  it  diffi¬ 
cult  or  impossible  for  the  pilot  to  understand  and  predict 
system  behavior.  Since  an  appropriate  mental  model  of  au¬ 
tomated  system  operations  is  required  for  instructing, 
monitoring,  and  intervening  in  system  behavior,  system 
complexity  can  lead  to  problems  in  each  of  these  areas. 
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Surveys  indicate  that  pilots  often  do  not  completely  under¬ 
stand  the  operation  of  automated  systems,  often  leading  to 
instances  of  undesired  system  behavior.®®  The  effects  of 
complexity  on  the  pilot’s  ability  to  control  system  behavior 
may  interact  with  pilot  experience.  A  1999  study  found 
that  pilots  with  600-1,500  hours  in  the  current  airframe 
were  least  likely  to  detect  the  inappropriate  behavior  of  an 
automated  data-link  system.  This  may  be  due  to  a  relative 
inability  to  generate  an  adequate  set  of  expectations  re¬ 
garding  system  behavior  as  a  result  of  a  limited  basis  of 
personal  experience  which  is  not  sufficient  to  compensate 
for  lessons  forgotten  since  going  through  initial  training.®® 

Coupling 

Closely  related  to  complexity,  coupling  refers  to  inter¬ 
connections  between  system  components.^®  Many  auto¬ 
mated  systems  components  receive  inputs  from  and  give 
commands  to  a  number  of  interrelated  subsystems.  Figure 
2  indicates  the  relation  of  the  FMC  to  other  cockpit  sys¬ 
tems.  Coupling  contributes  to  breakdowns  in  human-ma¬ 
chine  systems  by  limiting  the  pilot’s  ability  to  generate  an 
accurate  mental  model  of  automated  system  actions.  This 
situation  interferes  with  instructing,  monitoring,  and  in¬ 
tervening  with  automated  systems.  This  is  especially  true 
since  coupling  often  leads  to  automated  systems  doing 
more  than  expected  by  pilots — a  situation  that  is  particu¬ 
larly  difficult  to  detect.  Research  shows  that  since  pilots 
monitor  systems  primarily  on  the  basis  of  their  expecta¬ 
tions  of  system  behavior,  pilots  often  do  not  monitor  for 
and  thus  do  not  detect  these  situations. 

Low  Observability 

Automated  systems  often  provide  inadequate  feedback 
regarding  their  actions.  The  problem  is  not  that  indications 
do  not  exist,  rather  the  problem  is  that  the  indications  that 
do  exist  require  an  excessive  amount  of  effort  for  the  pilot 
to  monitor  and  process — a  phenomenon  known  as  low  ob¬ 
servability.  It  is  not  enough  to  merely  present  informa¬ 
tion;  instead,  given  the  large  amount  of  information  avail¬ 
able  to  the  operator,  the  system  must  draw  operator 
attention  to  the  information  and  present  it  in  a  manner 
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ADF — automatic  direction  finder/finding 
DME — direct  machine  environment 
iLS — instrument  ianding  system 
VOR — voice-operated  recorder 

Figure  2.  Systems  Coupled  to  the  Flight  Management  Com¬ 
puter 


that  is  clear  and  easy  to  understand.  In  the  Air  China  in¬ 
cident,  the  information  required  to  allow  pilots  to  deter¬ 
mine  that  the  autopilot  was  reaching  the  limits  of  its  con¬ 
trol  authority  was  available  to  the  pilots,  but  it  was  not 
observable.  Since  the  cockpit  displays  did  not  draw  pilot 
attention  to  the  relevant  information,  the  pilots  had  to  not 
only  realize  the  need  to  check  the  data  but  also  had  to  re¬ 
member  where  the  information  was  displayed.  The  pilots 
would  have  had  to  take  the  additional  step  of  comparing 
actual  indications  to  their  memory  of  the  autopilot  limits, 
since  the  display  did  not  indicate  the  limits  of  autopilot  au¬ 
thority. 
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In  addition  to  monitoring  difficulties,  low  observability 
can  also  lead  to  problems  instructing  and  intervening  in 
automated  system  behavior.  In  the  instruction  phase, 
mode  errors  often  occur  when  pilots  are  not  aware  of  the 
current  aircraft  mode  as  pointed  out  by  the  previously  de¬ 
scribed  Strasbourg  crash.’’®  Additionally,  as  pointed  out  by 
the  Nagoya  crash,  the  inability  to  determine  the  current 
mode  status  can  lead  to  an  inability  to  successfully  inter¬ 
vene  in  automated  system  behavior. 

The  attributes  of  many  highly  capable  automated  sys¬ 
tems  can  contribute  to  problems  instructing,  monitoring, 
and  intervening  in  automated  system  action.  These  factors 
ail  work  against  the  pilot’s  ability  to  develop  an  accurate 
mental  model  of  system  behavior  and  make  it  difficult  to 
predict  future  behavior.  While  low  observability  can  be  cor¬ 
rected  through  the  application  of  appropriate  human  fac¬ 
tors  principles,  system  design  is  less  able  to  limit  the  ef¬ 
fects  of  coupling,  complexity,  autonomy,  and  authority  of 
automated  systems.  Instead,  a  design  decision  must  be 
made  whether  the  risks  associated  with  a  given  system  can 
be  sufficiently  countered  by  a  systematic  attempt  to  con¬ 
trol  the  risks  associated  with  implementing  new  auto¬ 
mated  systems. 

Mitigating  the  Risk  of  Automated  Systems 

There  is  no  silver  bullet  in  the  effort  to  mitigate  the  risks 
posed  by  automated  systems.  Since  accidents  and  inci¬ 
dents  are  not  isolated  actions,  but  instead  the  product  of  a 
chain  of  events,  preventive  efforts  must  focus  on  a  variety 
of  actions.  James  T.  Reason’s  model  of  system  failures  and 
defenses  in  depth  provides  a  useful  means  of  visualizing 
this  process.  Figure  3  depicts  accidents  and  incidents  as 
the  process  in  which  managerial  decisions  (budgeting,  pri¬ 
orities,  and  hiring  practices)  serve  as  enabling  conditions 
for  unsafe  acts  which  are  expressed  as  accidents  when 
they  pierce  weaknesses  and  failures  in  a  series  of  system 
defenses  (design,  training,  procedures,  etc.)  designed  to 
guard  against  system  failures.’^  Accidents  and  incidents 
result  when  a  chain  of  actions  form  a  vector  that  pene¬ 
trates  these  defenses. 
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Figure  3.  Defenses  in  Depth 


Since  a  complete  treatment  of  this  model  is  beyond  the 
scope  of  this  paper,  the  author  focuses  on  the  defenses  in 
depth  rather  than  decisions  made  at  various  managerial 
levels.  The  defenses  in  depth  can  be  thought  of  as  features 
of  design,  procedures,  and  training,  which  are  aimed  to 
mitigating  the  risks  previously  identified. 

Difficulties  in  Human-Machine  Coordination 

This  paper  identifies  four  basic  problems  with  human- 
machine  coordination  activities:  machines  cannot  (a)  sense 
operator  goals,  (b)  communicate  their  own  goals,  (c)  identify 
or  correct  misunderstandings,  and  (d)  communicate  when 
approaching  the  limits  of  their  capability.  A  series  of  over¬ 
lapping  design,  procedural,  and  training  measures  must  be 
employed  to  counteract  these  coordination  problems. 

Current  research  in  cockpit  automation  addresses  de¬ 
sign  solutions  to  these  problems.  In  order  for  automated 
systems  to  share  the  responsibility  for  coordinating 
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human  and  machine  actions,  they  must  possess  a  better 
knowledge  of  pilot  goals  and  actions.  The  “agenda  man¬ 
ager”  is  one  effort  in  this  direction.^® This  system  uses  in¬ 
formation  about  pilot  statements  and  actions  to  infer  pilot 
goals.  It  then  compares  these  goals  to  the  goals  and  ac¬ 
tions  of  automated  systems  to  detect  conflicts  and  identify 
potential  misunderstandings.  While  this  effort  is  only  par¬ 
tially  successful  to  date,  it  represents  an  important  direc¬ 
tion  for  future  design. 

Flight  procedures  must  also  compensate  for  the  inabil¬ 
ity  of  machine  systems  to  participate  in  the  coordination 
process.  Procedures  that  require  the  second  crew  member 
to  confirm  inputs  to  automated  systems  are  one  step  in 
this  direction.  However,  research  indicates  that  since  both 
crew  members  share  a  similar  awareness  of  the  environ¬ 
ment  and  the  automated  system,  relatively  few  errors  are 
caught  by  the  second  crew  member.^®  Therefore,  proce¬ 
dures  must  consider  the  contribution  made  by  other  com¬ 
ponents  of  the  aviation  system  such  as  air  traffic  con¬ 
trollers  and  dispatchers. 

Training  must  emphasize  and  demonstrate  the  limits  of 
machine  coordination  and  communication  abilities.  In  order 
to  train  pilots  on  these  machine  limits,  they  must  be  ex¬ 
posed  to  these  situations  in  a  realistic  manner.  Unfortu¬ 
nately,  since  simulator  time  is  limited  (and  expensive),  it  is 
often  impossible  to  provide  this  training  in  the  simulator. 
Often,  it  is  assumed  that  pilots  will  learn  this  knowledge 
during  line  operations.  As  an  alternative,  the  technology  ex¬ 
ists  to  replicate  important  cockpit  control  systems  on  an  in¬ 
teractive  desktop  part-task  trainer.  Using  this  technology, 
pilots  could  learn  machine  coordination  limitations  via  a  set 
of  predefined  illustrative  scenarios  flown  on  desktop  com¬ 
puters  in  flying  units  or  at  home  on  personal  computers. 

Human  Limitations 

This  paper  identifies  three  major  limitations  to  the 
human’s  ability  to  control  automated  systems — time  pres¬ 
sure,  workload,  and  situational  awareness.  From  a  design 
standpoint,  care  must  be  taken  to  look  not  only  at  the  ef¬ 
fects  on  overall  workload  but  also  on  workload  distribu¬ 
tion.  Workload  should  not  be  allowed  to  concentrate  in 
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areas  that  are  already  effort  intensive.  Displays  must  also 
be  designed  to  support  situational  awareness  by  indicating 
elements  of  current  and  future  aircraft  performance.  Re¬ 
search  in  mode  error  indicates  the  relative  importance  of 
highlighting  performance  and  mode  changes. Procedures 
must  also  be  designed  to  compensate  for  known  human 
limitations.  For  example,  since  human  performance  is 
substantially  degraded  under  time  pressure,  procedures 
should  be  designed  to  promote  adequate  time  available  to 
program,  monitor,  and  intervene  with  automated  systems. 
Additionally,  since  monitoring  is  often  ineffective  in  detect¬ 
ing  the  need  to  intervene  in  automated  system  actions,^® 
procedures  should  focus  attention  on  fostering  error  de¬ 
tection  during  the  instruction  process.  Finally,  training 
must  stress  and  demonstrate  the  importance  of  time  and 
workload  management. 

Machine  Factors 

The  autonomy,  authority,  complexity,  coupling,  and  low 
observability  of  many  automated  systems  make  it  difficult 
for  the  pilot  to  develop  an  accurate  mental  model  of  auto¬ 
mated  systems.  From  a  design  point  of  view,  the  problem 
with  automation  is  “inappropriate  feedback  and  interac¬ 
tion,  not  overautomation.  Automated  systems  often  do 
not  provide  adequate  feedback  on  their  actions  or  inten¬ 
tions.  As  a  result,  the  pilot  cannot  develop  an  adequate 
mental  model  of  system  operations  required  to  instruct, 
monitor,  and  intervene  in  system  activities.  Inappropriate 
interaction  occurs  when  automated  systems  do  not  sup¬ 
port  pilot  efforts  to  coordinate  or  override  automated  ac¬ 
tions.  Often  automated  systems  must  be  complex,  cou¬ 
pled,  and  autonomous  in  order  to  accomplish  their 
intended  roles.  As  a  result,  design  efforts  should  focus  on 
system  observability  (feedback)  and  coordinative  abilities 
(authority) . 

There  are  three  general  approaches  to  address  problems 
with  system  observability,  all  of  which  seek  to  minimize  the 
effort  required  to  interpret  displayed  information.  First, 
automated  systems  must  communicate  both  what  they  are 
doing  and  why  they  are  doing  it.  For  example,  the  develop¬ 
ment  of  vertical  situation  displays  will  allow  pilots  to  bet- 
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ter  understand  and  visualize  vertical  path  information.®® 
Also,  given  the  autonomy  and  authority  of  automated  sys¬ 
tems  that  may  prevent  or  deter  pilot  intervention  after  the 
fact,  feedback  must  be  provided  on  the  future  intentions 
and  actions  of  automated  systems,  especially  in  regards  to 
mode  changes. ®i 

Second,  feedback  must  also  be  designed  to  reduce  the 
effort  required  to  detect  relevant  information  and  ascertain 
its  importance.  Automated  systems  must  draw  pilot  infor¬ 
mation  to  the  relevant  information  by  changes  in  color,  in¬ 
tensity,  auditory  alerts,  et  cetera.  This  is  especially  critical 
when  access  to  the  relevant  information  is  likely  to  require 
pilot-activated  display  changes  to  view  the  information 
(e.g.,  information  on  the  EICAS  or  in  the  FMC).  Addition¬ 
ally,  information  should  be  formatted  to  allow  easy  pro¬ 
cessing.  When  integration  of  several  parameters  is  re¬ 
quired  (such  as  evaluating  a  given  vertical  path),  numeric 
information  is  often  more  difficult  to  process  than  a 
graphic  depiction  of  the  same  data.®^ 

Third,  design  must  also  carefully  consider  any  limita¬ 
tions  on  pilot  authority.  As  discussed  previously,  these 
limits  may  be  either  due  to  the  physical  inability  to  over¬ 
ride  automated  systems  or  may  arise  when  pilot  override  is 
possible  but  limited  by  difficulties  in  understanding  ma¬ 
chine  actions  or  determining  the  desired  method  of  alter¬ 
ing  machine  performance.  When  pilots  cannot  adequately 
assess  the  acceptability  of  machine  actions,  they  will  likely 
either  blindly  accept  machine  actions  or  inappropriately 
intervene  in  correct  machine  behavior.  In  order  to  address 
these  problems,  design  (and  test  and  evaluation)  must 
identify  and  minimize  limits  to  pilot  authority.  When  pilot 
authority  is  limited,  the  benefits  (i.e.,  stall  prevention) 
must  outweigh  the  potential  costs.  Once  limitations  to 
pilot  authority  have  been  identified,  procedures  and  train¬ 
ing  should  be  developed  to  identify  and  preclude  inten¬ 
tional  operation  in  these  regions. 

Conclusion 

While  the  introduction  of  the  exceedingly  capable  auto¬ 
mated  cockpit  has  provided  important  contributions  to  sys- 
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tern  safety,  precision,  and  efficiency,  it  has  also  imposed  sys¬ 
tem  costs  in  the  forms  of  new  opportunities  for  error  that  are 
expressed  as  breakdowns  in  human-machine  coordination. 
With  the  introduction  of  automated  systems,  the  role  of  the 
pilot  has  changed  from  system  controller  to  system  supervi¬ 
sor  responsible  for  instructing,  monitoring,  and  intervening 
with  automated  systems.  An  analysis  of  these  roles  as  well  as 
the  capabilities,  limitations,  and  characteristics  of  human 
and  machine  members  of  the  cockpit  team  reveals  the  areas 
of  greatest  risk  to  system  safety  and  performance  that  may 
be  associated  with  the  introduction  of  automated  cockpit 
systems  required  for  AMC  aircraft  to  operate  in  the  future  air 
traffic  environment. 

In  general,  problems  arise  from  the  growing  power — ^but 
limited  coordination  and  communication  abilities — of  cur¬ 
rent  automated  systems.  As  a  result,  the  human  operator 
is  solely  responsible  for  ensuring  cooperation  and  resolv¬ 
ing  conflict  between  human  and  machine  intentions  and 
actions.  Time  pressure,  workload,  and  problems  with  situ¬ 
ational  awareness  can  reduce  the  pilot’s  ability  to  execute 
these  coordination  responsibilities.  Additionally,  the  au¬ 
tonomy,  authority,  complexity,  coupling,  and  low  observ¬ 
ability  of  automated  systems  make  it  difficult  for  the  pilot 
to  understand  and  anticipate  machine  intentions  and  ac¬ 
tions.  In  order  to  compensate  for  these  known  risks  of  au¬ 
tomated  systems,  AMC  must  implement  a  system  of  de¬ 
fenses  in  depth  utilizing  design,  training,  and  procedural 
solutions  aimed  at  controlling  the  previously  identified  risk 
factors. 

The  issues  addressed  in  this  paper  are  not  unique  to 
transport  aircraft  or  the  broader  aviation  domain,  but  in¬ 
stead  generalize  to  any  system  that  incorporates  highly 
powerful,  agent-like  automated  systems.  One  large  area  of 
future  concern  is  the  armed  services’  joint  vision,  which 
will  require  the  integration  of  information  technology  into 
a  host  of  military  systems.®^  This  integration  will  depend 
heavily  on  automation  to  integrate,  manage,  process,  and 
synthesize  large  volumes  of  information.  The  issues  iden¬ 
tified  here  provide  an  important  first  step  for  ensuring  that 
we  realize  the  advantages  of  these  systems  while  mitigat¬ 
ing  the  new  opportunities  for  error  that  will  be  inherent  in 
the  information  revolution. 
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Appendix 


Flight  Management  Computer  (FMC) 

The  FMC  Control  Display  Unit  (FMC  CDU)  is  the  pilot’s 
interface  with  a  multifunction  computer  system  (FMC)  that 
allows  the  pilot  to  plan,  navigate,  and  control  the  aircraft. 
Through  interconnections  with  a  number  of  onboard  sys 
terns  and  sensors,  FMC  planning  features  provide  the  pilot 
with  weather  (winds  and  temperature),  fuel,  timing,  and 
performance  data  (optimal  altitudes,  takeoff  and  landing 
speeds,  etc.).  The  FMC  also  contains  a  worldwide  database 
of  navigational  and  instrument  approach  data  that,  when 
combined  with  satellite  or  inertial  position  information,  al 
lows  the  pilot  to  determine  aircraft  position  as  well  as  the 
relative  position  of  other  navigational  waypoints.  Finally, 
interfaces  with  the  autopilot  and  automatic  throttle  sys 
terns  allow  the  FMC  (depending  on  mode)  to  provide  steer 
ing,  altitude,  and  speed  commands  to  these  systems. 

The  FMC  CDU  allows  the  pilot  to  input  or  review  data  via 
a  menu  driven  architecture.  Figure  4  represents  the  FMC 
CDU  similar  to  the  one  in  the  Boeing  B757  aircraft.  Data 
presentation  is  limited  to  approximately  12  lines  of  data 
arranged  on  either  side  of  the  display  unit.  In  order  to  sup 
port  the  wide  range  of  functions  available,  the  FMC  em 
ploys  a  branching  menu  structure  in  which  pilots  can  ac 
cess  by  selecting  the  appropriate  function  key  (legs,  route, 
cruise,  etc.)  on  the  associated  data  entry  panel.  Once  a 
given  function  is  selected,  the  pilot  can  navigate  through 
the  associated  menu  pages  by  using  the  “prev  page”  and 
“next  page”  buttons.  Although  there  are  several  different 
manufacturers,  the  underlying  architecture,  controls,  and 
visual  presentation  are  highly  similar  across  different  FMC 
CDU  units. 

The  FMC  CDU  allows  the  pilot  to  input  a  desired  route 
of  flight,  vertical  profile,  and  speed  profile.  Route  of  flight 
information  may  be  entered  as  waypoints  (each  flight  is 
composed  of  a  set  of  many  waypoints)  on  the  appropriate 
page  of  the  FMC  CDU  via  either  manual  keyboard  entry  or 
selection  of  prestored  database  options  via  the  line  select 
keys  adjacent  to  the  display  screen.  Altitude  constraints 
(either  cruise  altitude  or  a  restriction  to  cross  a  horizontal 
waypoint  or  altitude  at  a  given  airspeed)  may  also  be  en 
tered  in  the  same  manner.  Aircraft  speed  may  be  controlled 
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Figure  4.  A  Typical  FMC  CDU 


by  either  directly  entering  a  speed  value  on  the  appropri 
ate  page,  or  by  selecting  a  default  speed  profile  (based  on 
fuel  economy  or  range  considerations) . 


Mode  Control  Panel  (MCP) 

The  FMC  CDU  is  not  the  only  means  by  which  the  pilot 
can  control  aircraft  speed,  heading,  and  altitude.  The  MCP 
(fig.  5)  allows  the  pilot  to  control  autothrottle  and  autopi 
lot  modes,  as  well  as  to  provide  heading,  altitude,  airspeed, 
and  vertical  speed  targets  to  these  systems.  Autopilot  and 
autothrottle  modes  are  selected  by  depressing  the  appro 
priate  buttons  (e.g.,  LNAV  [lateral  navigation],  VNAV  [verti 
cal  navigation],  FLCH  [flight  level  change],  etc.),  while  air 
speed,  altitude,  heading,  and  vertical  speed  values  are 
entered  into  the  appropriate  window  via  the  associated  se 
lector  knob.  Although  the  distinction  is  not  perfect,  the 
FMC  CDU  is  considered  a  “strategic”  interface  while  the 
MCP  is  considered  a  “tactical”  interface.  ^  The  FMC  CDU  is 
often  used  to  implement  actions  that  will  take  place  or  con 
tinue  relatively  far  into  the  future  (e.g.,  entering  changes  to 
the  route  of  flight),  while  the  MCP  is  often  used  to  imple 
ment  more  immediate  actions  such  as  flying  an  assigned 
heading  or  climbing  to  a  given  altitude.  Like  the  FMC, 
there  are  differences  among  manufacturers  and  models. 
However,  at  a  conceptual  level  most  MCP  functions  are 
very  similar. 

In  order  to  control  aircraft  performance  via  the  MCP,  the 
desired  target(s)  must  be  entered  into  the  appropriate  win 
dow(s),  and  the  appropriate  mode(s)  must  be  selected.  For 
example,  in  order  to  comply  with  the  clearance  “fly  head 
ing  180°,”  the  pilot  must  set  180  in  the  heading  window 
and  select  the  heading  mode  by  depressing  the  top  of  the 
heading  selector  knob.  There  is  a  significant  degree  of  cou 
pling  between  the  FMC  and  MCP,  as  well  as  between  au 
topilot  modes.  Some  autopilot  and  autothrottle  modes  au 
tomatically  activate  other  associated  modes,  while  some 
information  entered  into  the  FMC  will  not  be  acted  upon 
unless  the  appropriate  autopilot  mode  is  selected  on  the 
MCP.  For  example,  LNAV  and  VNAV  modes  must  be  se 
lected  on  the  MCP  in  order  for  the  autopilot  to  follow  the 
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Figure  5.  A  Typical  Mode  Control  Panel 


horizontal  and  vertical  guidance  commands  entered  into 
the  FMC.  Additionally,  in  some  cases  system  behavior  de 
pends  on  the  values  set  in  both  the  FMC  and  MCP.  For  ex 
ample,  when  descending  in  the  VNAV  autopilot  mode,  the 
controlling  altitude  will  be  the  highest  of  either  the  altitude 
set  in  the  MCP  or  an  altitude  restriction  set  in  the  FMC. 

Notes 

1.  Charles  E.  Billings,  Aviation  Automation:  The  Search  for  a  Human- 
Centered  Approach  (Hillsdale,  N.J.:  Lawrence  Erlbaum  Associates,  1997). 
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